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IN THE CLAIMS: 



Pending claims follow: 



L 



(Currently Amended) A method for providing content-based 



intrusion detection for a computer system by using an agile kernel-based auditing 
system, comprising: 

receiving an audit specijlcation; 

v^herein the audit specification specifies at least one target attribute to be 
recorded from a set of possible target attributes during an auditing process by the 
auditing system; 

wherein the audit specification also specifies at least one auditing criterion 
that triggers recording of the at least one target attribute during the auditing 
process; 

configuring the auditing system to record the at least one target attribute in 
response to detecting the at least one auditing criterion; 

running the auditing system to produce an audit log by recording the at 
least one target attribute in response to detecting the at least one auditing criterion; 
and 

examining the audit log to detect patterns for intrusion detection purposes; 

wherein a size of the audit log is reduced when the auditing system is run 

prior to the examination for detection of the patterns . 

2. (Original) The method of claim 1, further comprising: 
detecting an event during the auditing process; and 
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in response to detecting the event, dynamically adjusting the auditing 
system during the auditing process to change the at least one auditing criterion 
and/or the at least one target attribute for subsequent operation of the auditing 
system. 

3. (Original) The method of claim 1 , wherein the auditing system is 
configured to modify a system call jump table to cause at least one selected 
system call to execute code that causes the at least one target attribute to be 
recorded in response to detecting the at least one auditing criterion. 

4. (Currently Amended) The method of claim 1, wherein the at least 
one target attribute OQn includes: 

an argument from a system call; 

a parameter of a process making the system call; 

data read during the system call; 

data written during the system call; 

a parameter of a file involved in the system call; and 

a parameter relating to a network communication involved in the system 

call. 

5. (Currently Amended) The method of claim 1 , wherein configuring 
the auditing system to record the at least one target attribute involve s comprises : 

compiling the audit specification to produce a kernel module; 

loading the kernel module into a kernel of an operating system of the 
computer system; and 

linking code from within the kernel module into system calls within the 
operating system. 
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6. (Currently Amended) The method of claim 1 , wherein the at least 
one auditing criterion ean includes: 

a user identifier for a process that is making a system call; 
an identifier for an application program from which the system call is 
being made; and 

an identifier for a file being accessed by the system call 

7. (Currently Amended ) The method of claim 1, wherein producing 
the audit log invelvescomprises filtering the at least one target attribute to reduce 
an amount of data stored in the audit log. 

8. (Currently Amended) The method of claim 1, wherein producing 
the audit log involvoa comDrises : 

determining at least one characteristic of the at least one target attribute; 

and 

recording the at least one characteristic in the audit log. 

9. (Original) The method of claim 1 , wherein the audit specification 
is received firom one of: 

a user of the auditing system; and 

an intrusion detection mechanism. 

10. (Currently Amended) A computer-readable storage medium storing 
instructions that when executed by a computer cause the computer to perform a 
method for providing content-based intrusion detection for a computer system by 
using an agile kernel-based auditing system, the method comprising: 
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receiving an audit specification; 

wherein the audit specification specifies at least one target attribute to be 
recorded from a set of possible target attributes during an auditing process by the 
auditing system; 

wherein the audit specification also specifies at least one auditing criterion 
that triggers recording of the at least one target attribute during the auditing 
process; 

configuring the auditing system to record the at least one target attribute in 
response to detecting the at least one auditing criterion in response to detecting the 
at least one auditing criterion; 

running the auditing system to produce an audit log by recording the at 
least one target attribute; and 

examining the audit log to detect patterns for intrusion detection purposes; 

wherein a size of the audit log is reduced when the auditing system is run 

prior to the examination for detection of the patterns . 

1 1 . (Currently Amended) The computer-readable storage medium of 
claim 10, wherein the method further comprises: 

detecting an event during the auditing process; and 
in response to detecting the event, dynamically adjusting the auditing 
system during the auditing process to change the at least one auditing criterion 
andf^or the at least one target attribute for subsequent operation of the auditing 
system. 

12. (Original) The computer-readable storage medium of claim 10, 
wherein the auditing system is configured to modify a system call jump table to 
cause at least one selected system call to execute code that causes the at least one 




Docket: NAI1P250_00.024.01 -5- 



PACE 8/20 " RCVD AT 12/11f2003 $:49:44 PM [Eastern Standard Time] ** SVR:USPT0-EFXRF-1/1 DNIS:8729306 " CSID:408 971 4960 * DURATION (mm-ss):05-38 



Dec 11 03 03:49p 



SVIPG 



408 371 4BG0 



P-9 



target attribute to be recorded in response to detecting the at least one auditing 
criterion, 

1 3 . (Currently Amended) The computer-readable storage medium of 
claim 10, wherein the at least one target attribute ean includes: 

an argument from a system call; 

a parameter of a process making the sj^em call; 

data read during the system call; 

data written during the system call; 

a parameter of a file involved in the system call; and 

a parameter relating to a network communication involved in the system 

calL 

1 4. {Currently Amended) The computer-readable storage medium of 
claim 10, wherein configuring the auditing system to record the at least one target 
attribute involvos comprises : 

compihng the audit specification to produce a kernel module; 

loading the kernel module into a kernel of an operating system of the 
computer system; and 

linking code firom within the kernel module into system calls within the 
operating system. 

15. (Currently Amended) The computer-readable storage medium of 
claim 10, wherein the at least one auditing criterion em includes: 

a user identifier for a process that is making a system call; 
an identifier for an application program from which the system call is 
being made; and 
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an identifier for a file being accessed by the system call. 

16. (Currently Amended) The computer-readable storage medium of 
claim 1 0, wherein producing the audit log involvos comprises filtering the at least 
one target attribute to reduce an amount of data stored in the audit log. 

1 7. (Currently Amended) The computer-readable storage medium of 
claim 10, wherein producing the audit log mvolv e s comprises : 

determining at least one characteristic of the at least one target attribute; 

and 

recording the at least one characteristic in the audit log. 

1 8. (Original) The computer-readable storage medium of claim 1 0, 
wherein the audit specification is received from one of: 

a user of the auditing system; and 
an intrusion detection mechanism. 

1 9. (Currently Amended) A apparatus for providing content-based 
intrusion detection for a computer system by using an agile kernel-based auditing 
mechanism, comprising: 

an auditing mechanism that is configured to audit system calls; 

a receiving mechanism tliat is configured to receive an audit specification; 

wherein the audit specification specifies at least one target attribute to be 
recorded from a set of possible target attributes during an auditing process by the 
auditing mechanism; 
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wherein the audit specification also specifies at least one auditing criterion 
that triggers recording of the at least one target attribute during the auditing 
process; 

an initiahzation mechanism that configures the auditing mechanism to 
record the at least one target attribute in response to detecting the at least one 
auditing criterion; 

wherein the auditing mechanism is configured to produce an audit log by 
recording the at least one target attribute in response to detecting the at least one 
auditing criterion; and 

an intrusion detection mechanism that is configured to examine the audit 
log to detect patterns for intrusion detection purposes; 

wherein a size of the audit log is reduced when the auditing mechanism is 

run prior to the examination for detection of the patterns . 

20. (Currently Amended) The apparatus of claim 19, wherein the 
initialization mechanism is further configured to: 

detect an event during the auditing process; and 

in response to detecting Ihe event, to dynamically adjust the auditing 
mechanism during the auditing process to change the at least one auditing 
criterion enB^or the at least one target attribute for subsequent operation of the 
auditing mechanism. 

21. (Original) The apparatus of claim 19, wherein the auditing 
mechanism is configured to modify a system call jump table to cause at least one 
selected system call to execute code that causes the at least one target attribute to 
be recorded in response to detecting the at least one auditing criterion. 
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22. (Currently Amended) The apparatus of claim 19, wherein the at 
least one target attribute can 

includes: 
an argument jfrom a system call; 
a parameter of a process making the system call; 
data read during the system call; 
data written during the system call; 
a parameter of a file involved in the system call; and 
a parameter relating to a network communication involved in the system 

call. 

23. (Original) The apparatus of claim 19, wherein the auditing 
mechanism is configured to: 

compile the audit specification to produce a kernel module; 

load the kernel module into a kernel of an operating system of the 
computer system; and to 

link code from within the kernel module into system calls within the 
operating system. 

24. (Currently Amended ) The apparatus of claim 1 9, wherein the at 
least one auditing criterion includes: 

a user identifier for a process that is making a system call; 
an identifier for an apphcation program firom which the system call is 
being made; and 

an identifier for a file being accessed by the system call. 
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25. (Original) The apparatus of claim 19, wherein the auditing 
mechanism is configured to produce the audit log by filtering the at least one 
target attribute to reduce an amount of data stored in the audit log, 

26. (Currently Amended) The apparatus of claim 19, wherein the 
auditing mechanism is configured to produce the audit log bv operations 
comprising : 

determining at least one characteristic of the at least one target attribute; 



and 



recording the at least one characteristic in the audit log. 



27. (Original) The apparatus of claim 19, wherein the audit 
specification is received from one of: 

a user of the auditing mechanism; and 
the intrusion detection mechanism. 
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